Wednesday, January 07, 2009

I've been meaning to write about this for some time, but CA's acquisition of Orchestria (which I wrote about here) just happened to be the compelling event that kick-started my thought processes.

I don't think anyone's completely worked out how Identity Management (IDM) and Data Leakage Prevention (DLP) or even data security in general should (or will) come together just yet. During my time working in the data security arena, IDM was typically an afterthought in most of the environments I dealt with.

My view for quite a while has been that IDM and DLP go together because in a unified solution, there is a more complete security context with which access control decisions can be made.

DLP products at the moment are VERY data-centric. Policies tend to not cater for identities, roles or access controls but rather what data is being accessed, how people are trying to access it, where they are accessing it from and what they are trying to do with it. Sound familiar? It should if you've had anything to do with IDM or information security in general, but hold that thought. From a data security standpoint however, DLP is about data identification, classification, usage and wrapping controls around it all. Or as a customer's CEO once said during my time at Verdasys, "protect my data but don't get in the way of my business".

IDM on the other hand, is more about controlling access to resources and wrapping it all up with an "accountability" ribbon. I'm over-simplifying of course, because there's all the automation bits and pieces that lead to more efficient processes and so on that I've completely ignored, but bear with me for now because the point here isn't to define IDM to the nth degree.

Allow me to take a step back for a minute and try to distill what it is that information security professionals are trying to solve when we talk about protecting organisational assets. It's not actually that complicated. An organisation has a "bunch of things all over the shop". There are buildings, rooms, offices, applications, databases, file systems, servers, disks, CDs, DVDs, USBs and all sorts of other bits and pieces. There's also bits of paper lying on desks, but technology can't fix that directly. It's more about security awareness and training, but I digress. Back to the point at hand...

The "things all over the shop" are essentially just a means to an end. They are required to house company resources and at the core of these company resources is information. Information in its most basic form is data. This is my long winded way of saying that all we're trying to do is protect access to data and control how it is used. Even all that Governance, Risk and Compliance (GRC) hullabaloo is about making sure data is not misused and if it somehow is, that there is end-to-end traceability, accountability and transparency so you can forensically figure out what happened. Of course, if you had protected that data properly in the first place, there should be no need to go hunting for the smoking gun. But 100% security is a pipe dream, hence the need for a good audit trail (which itself is also data - and can be modified to hide illegal activities if not protected).

So let's recap. You can name all the company assets you like that security tries to protect, but in the end we are trying to protect data and control how it is used. Most things tie back in some way to the "organisational crown jewel" that is information. i.e. data. That's why our profession is usually referred to as "Information Security". What does this mean? IDM tries to protect data. DLP also tries to protect data. The difference is the approach and focus.

IDM attempts to address this by focusing on people and process in a "business centric" manner. DLP or data security (to use a broader term) attempts to address this in a data-centric, "bits and bytes" manner. In some ways, you could view IDM as a top-down approach while DLP is bottom-up. This is the crux of why I've thought for quite some time that IDM and DLP/data security go hand in hand (my obvious self-interests aside): IDM keeps trying to gain additional contextual information to make better access control decisions and DLP keeps trying to make business sense of all this data flying around.

Because IDM focuses on business, people and process, quite often it's the low-level things that are more difficult because there are more unknowns. That is, the things you don't know about that you need to figure out. If there is no automated way to do so, it can take a lot more time. That's why there's a market for products that claim to address risk management, role mining, identity mining and security monitoring. These are some of the typical gaps that need filling whenever you implement an Enterprise Identity and Access Management programme. They need to be filled so you can use them as input to implement proper security policies that are aligned with business and reality instead of the "out of the box" policies you get from the vendor.

One of the most crucial low-level considerations is in trying to figure out what you're trying to protect. Quite often, the consultants will only go as far as the applications. Access controls are more often than not very course-grained. With the advent of all the entitlement management initiatives floating around today, access control is starting to get more fine-grained but they can only go as far as discrete actions people make within the IT environment based on a pre-configured set of policies based on statically defined resources.

In other words, a resource will be defined a certain way until an administrator changes the definition. The blind spot is actually the underlying information or data associated with the resource, which is a key part of this thing we call the security context that's required to make an enforcement decision. Information is dynamic and as such many resources are dynamic by nature. For example, one moment a document might be sensitive but the next moment not because someone deleted all the sensitive information. This dynamic nature of organisational resources is something the IDM software vendors haven't quite solved yet, although Oracle's Adaptive Access Manager is a step in the right direction (I wrote about this here). The reason they have not solved this is largely because much of it is based on information and data being taken into consideration when making access control decisions in real time.

DLP products do a pretty good job of identifying data at rest (e.g. on disk or in databases), data in motion (e.g. across the network or actively being used by people), classifying information and enforcing controls on actions based on security policies. They are typically lacking in the following aspects:

Providing an easy way to tie their policies into a central policy management point across multiple systems (which is what Symantec and McAfee are trying to do).

Having any notion of identity awareness beyond being able link policies back to distinct user accounts (i.e. personas instead of actual identities) or roles within a particular namespace (e.g. a particular application). For example, in many cases the only notion of identity is someone's Active Directory account and Active Directory role memberships.

The first point is something the large vendors (such as CA) should be able to address given that it's something they should be looking to do with their existing security products.

The second point is important because many DLP customers are starting to include things such as behavioural analysis and more "pro-active security measures" on their wish-lists for product features. The problem is that to be able to do this in a useful manner, the products need to be identity aware.

Information security has always been reactive. Many products come out with "whiz-bang" features that claim to be "intelligent" but the reality is that organisations only fix things once something bad happens. I'm not taking a swipe at operational security in general. All I'm saying is that information security professionals can only be as good as the limits of the tools available will allow them to be. The promise for a long time has been that there would be more products that allow for the operational security teams to be pro-active or better still, have software make decisions adaptively based on real-time threats instead of using static, potentially outdated policies based on assumptions made that could cause issues because of potential "blind spots".

IDM and data security are complementary. Each goes a long way towards addressing the other one's shortcomings and blind spots (although not completely). The key is that we need to figure out how to put it all together so that we can get closer to the reality of pro-active security measures. A data-aware Identity and Access Management infrastracture allows for micro-grained, dynamic, adaptive access controls and more context-aware policies and controls.

I should note that this post focuses on the acquisition. I'll be doing a follow-up post regarding why I think IDM and DLP are complementary solutions and fit well together.

CA are one of the leaders in the Identity and Access Management software marketplace. Most would group them with IBM, Oracle and Sun as the leaders. As I've said recently, they've been going from strength to strength and I probably don't need to say too much more about them at the moment.

Orchestria are a very strong player in the DLP space and well respected. They are a very strong competitor to Symantec (they acquired Vontu, who many considered to be the leader in DLP software) and have the typical DLP components covered off: endpoint controls, network monitoring, data-at-rest capabilities and email server controls. I haven't actually seen their products in action so I can't comment on whether they can do everything they claim, but they tick most of the boxes on a marketing slide and in RFPs. In other words, CA made a good choice in picking Orchestria from a "perception" standpoint. If the technology works as specified, they're on to a winner.

What this means is that CA's got a head-start on everyone else. It'll be interesting to see what they do with it. Early signs are good because they've already stated they see close links with their IDM suite. They may need to watch IBM because IBM ISS offers a data security managed service, but IBM as a whole will never be able to get their act together to compete (if someone wants a combined IDM + DLP solution) unless Tivoli acquires the other vendors mentioned (one of which is Verdasys, who I used to work for). As an aside, the gentleman who runs CA's Identity and Access Management EMEA organisation knows his DLP. How do I know this? Because we used to be colleagues at Verdasys. So there's another "tick in the box" for CA.

I haven't been able to find other commentary on this acquisition (apart from publications spitting out the press release) except for this article from NetworkWorld. Dave Hansen, CA's corporate senior vice president and general manager, CA Security Management is quoted as saying:

"We were not competing in this space, and our two main competitors don't have data-leak prevention."

He's referring to IBM and Oracle if my interpretation of the article is correct (he's mostly right if you don't count the IBM ISS capabilities I mentioned above - I think he's referring to IBM Tivoli Software though so I'll let it pass). In fact, the only Identity and Access Management vendor that sells DLP software is RSA (via their acquisition of Tablus) in the form of their DLP Suite. Unfortunately for RSA, they still don't have a provisioning product, which is why none of the large IDM suite vendors ever thinks of them as being a serious competitor. I should point out that Novell has some data security stuff, but nothing that would make anyone take them seriously.

I don't mean to pick on the article, but what's the point of mentioning Symantec? It might as well have said McAfee...or Trend Micro...or any vendor that has Antivirus products and claims to also do DLP. Kaspersky, Checkpoint, Sophos...I could go on but I won't. I think the writer's referring to the fact that CA and Symantec are competitors in the security market, but we're talking Antivirus products and NOT Identity and Access Management software (where Symantec are not a player).